bisecting cause commit starting from 25e73aadf297d78cf528841795cd37bad8320642 building syzkaller on 3de7aabbb79a6c2267f5d7ee8a8aaa83f63305b7 testing commit 25e73aadf297d78cf528841795cd37bad8320642 with gcc (GCC) 8.1.0 kernel signature: 9d17d2ab328eca887350cb05feb65626ff1b1641 all runs: crashed: KASAN: use-after-free Read in tcp_check_sack_reordering testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: c0424d7dc54b1ec0df33dff36c41113084e28754 all runs: OK # git bisect start 25e73aadf297d78cf528841795cd37bad8320642 219d54332a09e8d8741c1e1982f5eae56099de85 Bisecting: 8213 revisions left to test after this (roughly 13 steps) [8c39f71ee2019e77ee14f88b1321b2348db51820] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 8c39f71ee2019e77ee14f88b1321b2348db51820 with gcc (GCC) 8.1.0 kernel signature: 0dc81cea9d9fa07355865d16fb771408904dcded all runs: OK # git bisect good 8c39f71ee2019e77ee14f88b1321b2348db51820 Bisecting: 4176 revisions left to test after this (roughly 12 steps) [9b326948c23908692d7dfe56ed149840d3829eaa] Merge tag 'firewire-update' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394 testing commit 9b326948c23908692d7dfe56ed149840d3829eaa with gcc (GCC) 8.1.0 kernel signature: b2ee652d1b931e0b6335a346c475e743a004a978 all runs: OK # git bisect good 9b326948c23908692d7dfe56ed149840d3829eaa Bisecting: 2089 revisions left to test after this (roughly 11 steps) [9feb1af97e7366b512ecb9e4dd61d3252074cda3] Merge tag 'for-linus-20191205' of git://git.kernel.dk/linux-block testing commit 9feb1af97e7366b512ecb9e4dd61d3252074cda3 with gcc (GCC) 8.1.0 kernel signature: 4d8bcdea50f1006edec9cd3b58f60398988d89cc all runs: OK # git bisect good 9feb1af97e7366b512ecb9e4dd61d3252074cda3 Bisecting: 1041 revisions left to test after this (roughly 10 steps) [fce34dec76d93311f90f1f077e1eba3605a3771c] Merge tag 'platform-drivers-x86-v5.5-2' of git://git.infradead.org/linux-platform-drivers-x86 testing commit fce34dec76d93311f90f1f077e1eba3605a3771c with gcc (GCC) 8.1.0 kernel signature: 162c140e923f6e78bb5ba7c91c1e038bad5db516 all runs: OK # git bisect good fce34dec76d93311f90f1f077e1eba3605a3771c Bisecting: 520 revisions left to test after this (roughly 9 steps) [be7a7729207797476b6666f046d765bdf9630407] sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY testing commit be7a7729207797476b6666f046d765bdf9630407 with gcc (GCC) 8.1.0 kernel signature: b30d585925aee311002171b841fd8d7ebf699c10 all runs: crashed: KASAN: use-after-free Read in tcp_check_sack_reordering # git bisect bad be7a7729207797476b6666f046d765bdf9630407 Bisecting: 222 revisions left to test after this (roughly 8 steps) [78bac77b521b032f96077c21241cc5d5668482c5] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 78bac77b521b032f96077c21241cc5d5668482c5 with gcc (GCC) 8.1.0 kernel signature: 37107a555de01cd10b2e48f02d92bed0d85cf1a6 all runs: OK # git bisect good 78bac77b521b032f96077c21241cc5d5668482c5 Bisecting: 111 revisions left to test after this (roughly 7 steps) [54fa49ee88138756df0fcf867cb1849904710a8c] net: dsa: sja1105: Reconcile the meaning of TPID and TPID2 for E/T and P/Q/R/S testing commit 54fa49ee88138756df0fcf867cb1849904710a8c with gcc (GCC) 8.1.0 kernel signature: 5f4ab0494cc6ab3c4207d3367e1b0faacb47837a all runs: OK # git bisect good 54fa49ee88138756df0fcf867cb1849904710a8c Bisecting: 55 revisions left to test after this (roughly 6 steps) [f4b3974602a5b527b22c3a0dc61ba71190ea2aa5] Merge tag 'linux-kselftest-5.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest testing commit f4b3974602a5b527b22c3a0dc61ba71190ea2aa5 with gcc (GCC) 8.1.0 kernel signature: 69c369348b84ebdf5f6a8160c545db07ab9a0736 all runs: OK # git bisect good f4b3974602a5b527b22c3a0dc61ba71190ea2aa5 Bisecting: 26 revisions left to test after this (roughly 5 steps) [738d2902773e30939a982c8df7a7f94293659810] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 738d2902773e30939a982c8df7a7f94293659810 with gcc (GCC) 8.1.0 kernel signature: fe4e41bc52a6f33d379478fd76189c4d07939e51 all runs: crashed: KASAN: use-after-free Read in tcp_check_sack_reordering # git bisect bad 738d2902773e30939a982c8df7a7f94293659810 Bisecting: 14 revisions left to test after this (roughly 4 steps) [cc2f36ec7188e48c2afb1428fc3ce18884ad634b] Merge tag '5.5-rc3-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6 testing commit cc2f36ec7188e48c2afb1428fc3ce18884ad634b with gcc (GCC) 8.1.0 kernel signature: 8976ffb356397238d8f13410fdee053e7f67d268 all runs: OK # git bisect good cc2f36ec7188e48c2afb1428fc3ce18884ad634b Bisecting: 7 revisions left to test after this (roughly 3 steps) [fd6988496e79a6a4bdb514a4655d2920209eb85d] Linux 5.5-rc4 testing commit fd6988496e79a6a4bdb514a4655d2920209eb85d with gcc (GCC) 8.1.0 kernel signature: 45cc21e1591ed222e1d461aac540ebdd90088f9f all runs: OK # git bisect good fd6988496e79a6a4bdb514a4655d2920209eb85d Bisecting: 3 revisions left to test after this (roughly 2 steps) [04b69426d846cd04ca9acefff1ea39e1c64d2714] hsr: fix slab-out-of-bounds Read in hsr_debugfs_rename() testing commit 04b69426d846cd04ca9acefff1ea39e1c64d2714 with gcc (GCC) 8.1.0 kernel signature: f5de9d031f1acefe7dfcffae0c0af8957d19f520 all runs: crashed: KASAN: use-after-free Read in tcp_check_sack_reordering # git bisect bad 04b69426d846cd04ca9acefff1ea39e1c64d2714 Bisecting: 1 revision left to test after this (roughly 1 step) [853697504de043ff0bfd815bd3a64de1dce73dc7] tcp: Fix highest_sack and highest_sack_seq testing commit 853697504de043ff0bfd815bd3a64de1dce73dc7 with gcc (GCC) 8.1.0 kernel signature: b3c1d523c49a9cb758f993bff54912ab66c467e5 all runs: crashed: KASAN: use-after-free Read in tcp_check_sack_reordering # git bisect bad 853697504de043ff0bfd815bd3a64de1dce73dc7 Bisecting: 0 revisions left to test after this (roughly 0 steps) [a33121e5487b424339636b25c35d3a180eaa5f5e] ptp: fix the race between the release of ptp_clock and cdev testing commit a33121e5487b424339636b25c35d3a180eaa5f5e with gcc (GCC) 8.1.0 kernel signature: 81d1f50d88d7c22200bd95dc6333abfeee5c404c all runs: OK # git bisect good a33121e5487b424339636b25c35d3a180eaa5f5e 853697504de043ff0bfd815bd3a64de1dce73dc7 is the first bad commit commit 853697504de043ff0bfd815bd3a64de1dce73dc7 Author: Cambda Zhu Date: Fri Dec 27 16:52:37 2019 +0800 tcp: Fix highest_sack and highest_sack_seq >From commit 50895b9de1d3 ("tcp: highest_sack fix"), the logic about setting tp->highest_sack to the head of the send queue was removed. Of course the logic is error prone, but it is logical. Before we remove the pointer to the highest sack skb and use the seq instead, we need to set tp->highest_sack to NULL when there is no skb after the last sack, and then replace NULL with the real skb when new skb inserted into the rtx queue, because the NULL means the highest sack seq is tp->snd_nxt. If tp->highest_sack is NULL and new data sent, the next ACK with sack option will increase tp->reordering unexpectedly. This patch sets tp->highest_sack to the tail of the rtx queue if it's NULL and new data is sent. The patch keeps the rule that the highest_sack can only be maintained by sack processing, except for this only case. Fixes: 50895b9de1d3 ("tcp: highest_sack fix") Signed-off-by: Cambda Zhu Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/tcp_output.c | 3 +++ 1 file changed, 3 insertions(+) culprit signature: b3c1d523c49a9cb758f993bff54912ab66c467e5 parent signature: 81d1f50d88d7c22200bd95dc6333abfeee5c404c revisions tested: 16, total time: 4h1m30.692525107s (build: 1h45m48.985477724s, test: 2h14m6.772646274s) first bad commit: 853697504de043ff0bfd815bd3a64de1dce73dc7 tcp: Fix highest_sack and highest_sack_seq cc: ["cambda@linux.alibaba.com" "davem@davemloft.net" "edumazet@google.com"] crash: KASAN: use-after-free Read in tcp_check_sack_reordering ================================================================== BUG: KASAN: use-after-free in tcp_highest_sack_seq include/net/tcp.h:1852 [inline] BUG: KASAN: use-after-free in tcp_check_sack_reordering+0x2ef/0x360 net/ipv4/tcp_input.c:891 Read of size 4 at addr ffff8880a7d84ca8 by task syz-executor.2/8381 CPU: 0 PID: 8381 Comm: syz-executor.2 Not tainted 5.5.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x12d/0x187 lib/dump_stack.c:118 print_address_description.constprop.8.cold.10+0x9/0x31d mm/kasan/report.c:374 __kasan_report.cold.11+0x1b/0x3a mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:639 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:134 tcp_highest_sack_seq include/net/tcp.h:1852 [inline] tcp_check_sack_reordering+0x2ef/0x360 net/ipv4/tcp_input.c:891 tcp_try_undo_partial net/ipv4/tcp_input.c:2727 [inline] tcp_fastretrans_alert+0xe2f/0x2550 net/ipv4/tcp_input.c:2844 tcp_ack+0x1f61/0x5aa0 net/ipv4/tcp_input.c:3707 tcp_rcv_established+0x830/0x2260 net/ipv4/tcp_input.c:5698 tcp_v4_do_rcv+0x526/0x790 net/ipv4/tcp_ipv4.c:1562 sk_backlog_rcv include/net/sock.h:954 [inline] __release_sock+0x10b/0x330 net/core/sock.c:2437 release_sock+0x4f/0x180 net/core/sock.c:2953 sk_stream_wait_memory+0x4df/0xcb0 net/core/stream.c:145 tcp_sendmsg_locked+0xb2e/0x37f0 net/ipv4/tcp.c:1394 tcp_sendmsg+0x27/0x40 net/ipv4/tcp.c:1434 inet_sendmsg+0x8f/0xb0 net/ipv4/af_inet.c:807 sock_sendmsg_nosec net/socket.c:639 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:659 __sys_sendto+0x1f2/0x2e0 net/socket.c:1985 __do_sys_sendto net/socket.c:1997 [inline] __se_sys_sendto net/socket.c:1993 [inline] __x64_sys_sendto+0xdc/0x1a0 net/socket.c:1993 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45aff9 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007efe0ada9c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007efe0adaa6d4 RCX: 000000000045aff9 RDX: ffffffffffffff67 RSI: 0000000020000640 RDI: 0000000000000003 RBP: 000000000075bf20 R08: 0000000000000000 R09: ffffffffffffff4f R10: 00000000040007bd R11: 0000000000000246 R12: 00000000ffffffff R13: 0000000000000992 R14: 00000000004cacca R15: 000000000075bf2c Allocated by task 8381: save_stack+0x21/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc.constprop.17+0xc7/0xd0 mm/kasan/common.c:513 kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:521 slab_post_alloc_hook mm/slab.h:584 [inline] slab_alloc_node mm/slab.c:3263 [inline] kmem_cache_alloc_node+0x138/0x760 mm/slab.c:3575 __alloc_skb+0xa7/0x570 net/core/skbuff.c:197 alloc_skb_fclone include/linux/skbuff.h:1099 [inline] sk_stream_alloc_skb+0x278/0xbb0 net/ipv4/tcp.c:877 tcp_sendmsg_locked+0xa3d/0x37f0 net/ipv4/tcp.c:1284 tcp_sendmsg+0x27/0x40 net/ipv4/tcp.c:1434 inet_sendmsg+0x8f/0xb0 net/ipv4/af_inet.c:807 sock_sendmsg_nosec net/socket.c:639 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:659 __sys_sendto+0x1f2/0x2e0 net/socket.c:1985 __do_sys_sendto net/socket.c:1997 [inline] __se_sys_sendto net/socket.c:1993 [inline] __x64_sys_sendto+0xdc/0x1a0 net/socket.c:1993 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 8384: save_stack+0x21/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] kasan_set_free_info mm/kasan/common.c:335 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474 kasan_slab_free+0xe/0x10 mm/kasan/common.c:483 __cache_free mm/slab.c:3426 [inline] kmem_cache_free+0x83/0x320 mm/slab.c:3694 kfree_skbmem+0xfd/0x130 net/core/skbuff.c:644 __kfree_skb+0x15/0x20 net/core/skbuff.c:680 sk_eat_skb include/net/sock.h:2468 [inline] tcp_recvmsg+0x163a/0x24e0 net/ipv4/tcp.c:2166 inet_recvmsg+0x110/0x6a0 net/ipv4/af_inet.c:838 sock_recvmsg_nosec net/socket.c:873 [inline] sock_recvmsg+0xb7/0xf0 net/socket.c:891 __sys_recvfrom+0x327/0x3f0 net/socket.c:2042 __do_sys_recvfrom net/socket.c:2060 [inline] __se_sys_recvfrom net/socket.c:2056 [inline] __x64_sys_recvfrom+0xdc/0x1a0 net/socket.c:2056 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8880a7d84c80 which belongs to the cache skbuff_fclone_cache of size 456 The buggy address is located 40 bytes inside of 456-byte region [ffff8880a7d84c80, ffff8880a7d84e48) The buggy address belongs to the page: page:ffffea00029f6100 refcount:1 mapcount:0 mapping:ffff88821b76ac40 index:0x0 raw: 00fffe0000000200 ffffea00025897c8 ffffea00023d3408 ffff88821b76ac40 raw: 0000000000000000 ffff8880a7d84000 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a7d84b80: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc ffff8880a7d84c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880a7d84c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880a7d84d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a7d84d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================